Behavioral Information Security Brief Overview - PowerPoint PPT Presentation

About This Presentation
Title:

Behavioral Information Security Brief Overview

Description:

Personnel Psychology Focus on Security = Behavioral InfoSec. Behavioral ... Competing motivational frameworks: Behavioristic, Social Learning, Social ... – PowerPoint PPT presentation

Slides: 19
Provided by: infor93
Transcript and Presenter's Notes

1
Behavioral Information Security: Brief Overview
  • Jeffrey M. Stanton, Ph.D.
  • Syracuse University
  • School of Information Studies
  • January 30, 2003

2
Introduction
  • Bruce Schneier, author of Applied Cryptography,
    writes in his 2000 book, Secrets and Lies:
  • "Security, palpable security that you or I might
    find useful in our lives, involves people: things
    people know, relationships between people, people
    and how they relate to machines."

3
Some Notes from the Field
  • "Eighty percent of all network security managers
    who were surveyed at the Gartner Information
    Security Conference in Chicago claim their
    biggest security threat comes from their own
    employees." (Bob Woods, Jupiter Research)
  • "...online security isn't about the technology."
    (Laura Rime, vice president of Identrus LLC, an
    organization established by eight leading banks
    to develop standards for electronic identity
    verification for e-commerce.)
  • "People regularly lock their houses, demand
    airbags in their vehicles and install smoke
    alarms in their homes. But put them in front of a
    computer, and you'd think the word 'security' was
    magically erased from their brains. People are
    more careless with computers than perhaps any
    other thing of value in their lives." (Alan
    Horowitz, Computerworld)

4
Some Titles of Recent Practitioner Articles
  • "Can Someone Help Me Remember My Password,
    Please?" (Revolution)
  • "Lack of Training Leads To Serious Security
    Lapses" (Personnel Today)
  • "People Are The Weak Links In IT Security" (The
    Argus)
  • "Users Spill Password Beans" (Network News)
  • "Preventing Information Loss: Strengthening a
    Weak Link" (SecurityPortal)
  • "Employees: Your Best Defense, or Your Greatest
    Vulnerability?" (searchSecurity.com)
  • "Human Error May Be No. 1 Threat to Online
    Security" (Computerworld)
  • "The Weakest Link" (Interactive Week)
  • "Panel: Better Privacy and Security Require
    'Cultural Evolution'" (Computerworld)

5
Four Disciplines (adapted from Joon Park's paper
with Montrose and Froscher)
6
Work Motivation / Personnel Psychology + Focus
on Security = Behavioral InfoSec
  • Behavioral Information Security, defined as:
  • Complexes of human action within organizations
    that influence the availability, confidentiality,
    and integrity of information systems and
    resources
  • Mindsets and motivations of individuals whose
    actions have positive and negative influences on
    information security

7
Research Agenda
  • Basic research questions:
  • What kinds of behaviors do organizational members
    enact that enhance or detract from information
    security?
  • What theories of work motivation can account for
    these behaviors?
  • How do effective organizational members differ from
    ineffective members with respect to KSAOs
    (knowledge, skills, abilities, and other
    characteristics such as attitudes, commitment, etc.)?
  • What organizational interventions could be
    designed to promote the enactment of positive
    security behaviors? To decrease the incidence of
    negative security behaviors?

8
Research Phases
9
Phase I: Taxonomy of InfoSec End User Behaviors
in Organizations
  • Method: Interviews with subject matter experts
  • Information security specialists
  • Regular employees who use information technology
  • Information technology professionals and managers
  • Status:
  • 110 interviews completed and transcribed
  • Behavioral descriptions extracted, redundancies
    removed
  • 94 discrete but overlapping behaviors, e.g., "He
    brought a wireless gateway device into his
    office, and installed it on the network without
    authorization."

10
Two-dimensional taxonomy (figure): horizontal axis is
Expertise (Expert to Novice), vertical axis is
Intentions (Benevolent to Malicious).
  • Benevolent intentions: Aware Assurance (expert),
    Basic Hygiene (novice)
  • Neutral intentions, i.e., Unintentional
    (In)security: Dangerous Tinkering (expert), Naïve
    Mistakes (novice)
  • Malicious intentions: Intentional Destruction
    (expert), Detrimental Vexation (novice)
11
Taxonomy Tests: Successful categorization by 49
judges
12
Taxonomy Test: Behavioral Areas and Judge
Disagreement
13
Phase II: Comparative Analysis of Motivational
Frameworks
  • Competing motivational frameworks: Behavioristic,
    Social Learning, Social Exchange, Goal Setting,
    Intrinsic Motivation, Control Theory,
    Identity-based
  • Identify key constructs from a subset of these,
    e.g., incentives and sanctions, leadership and
    social norms, goals, organizational
    identification and commitment
  • Deploy a field survey with key constructs and
    criterion measures

14
(Figure: Regulatory Structures, Incentivized
Policies, Normative Guides to Behavior, Behavioral
Exemplars; Information Technology)
15
Phase III: Experimental Test of Motivational
Intervention
  • Adopt the most promising motivational theories
    and constructs from the previous phase
  • Develop an intervention that can be tested in a
    controlled environment
  • For example: Test a goal-setting intervention
    designed to increase information security
    self-education
  • Pre-test knowledge, implement manipulation or
    control, permit self-education, measure security
    behavior, post-test knowledge

16
Phase IV: Organizational Test of Motivational
Intervention
  • Based on results of experiment, adapt
    intervention for use in actual organizations
  • Locate and cultivate partner organizations
  • Implement a non-equivalent control group design
    with pre-test, post-test, and compensatory
    intervention
  • Measure security behavior and knowledge, but also
    develop outcome measures

17
Other BISec Research Projects
  • Marcinkowski Dissertation: Motivational and
    communicational aspects of organizational
    information security policies
  • Motivation dynamics study focusing on system
    administrators rather than users:
  • Behavioral taxonomy (and therefore the dependent
    variables, DVs) changes
  • Motivational structures may change, since
    responsibility for security is a core job role
    rather than a set of discretionary behaviors
  • SIOP Foundation Project on criterion validation:
    Making an explicit link between user behavior and
    organizational information security outcomes

18
Other BISec Research Projects (continued)
  • Organizational security culture: Assessing how
    collective paranoia and other aggregate-level
    constructs may influence information security
  • Security behavior in peer-to-peer information
    transactions: How peers/users balance trust and
    secrecy
  • New behavioral domains: Consumers, military and
    intelligence personnel